Heartbleed data leak: Privacy watchdog says case closed for now

Security glitch more about 'vulnerability of the internet' than Revenue Canada's deficiency, watchdog says

The Heartbleed security glitch that led to the partial shutdown of Revenue Canada's website "exposed the vulnerability of the internet more than the deficiencies of any one dataholder," according to Canada's privacy commissioner. (CBC)

Related Stories

Canada's privacy watchdog has no plans to investigate further the recent breach that put the personal online financial data of thousands of Canadian tax filers at risk of unauthorized disclosure.

During an appearance before the House access to information and privacy committee, Interim Privacy Commissioner Chantal Bernier told MPs there is no active investigation into the Heartbleed security glitch that hit the Canada Revenue Agency e-filing site, as well as hundreds of other networks and online payment systems last month.

"Our technological analysis unit examined the issue … and explained to me that, in fact, it was an internet-wide issue that was probably not malicious."

Instead, she said, it was likely "an honest mistake that created a vulnerability that dataholders did not know about it, because no one knew about it, and, as we now know, was unfortunately exploited by some hackers."

The leak exposed "the vulnerability of the internet …. more than the deficiencies of any one dataholder," Bernier said.

"The only instance has been very quickly contained, and it seems — on the basis of what we know so far, and I reserve my position should I get more information — that there has been no management failing."

She also confirmed that, to date, the only agency to contact her office about the breach has been the CRA.

"I was informed of all the measures they were taking, including notifying individuals as well as technological measures."

Privacy, info watchdogs hit by budget cuts

Under questioning from opposition members, Bernier acknowledged that budget cuts may present a challenge in fulfilling her mandate — particularly when the pressure to belt-tighten comes as public awareness on the importance of privacy protection is on the rise.

In her opening statement, Bernier noted that, while she is "proud of our contributions to the Deficit Reduction Action Plan, it comes at a time when privacy matters continue to be of wide interest to the public.

"We must ensure we maintain our level of excellence in this context of reduced resources and increased interest."

Assistant information commissioner Emily McCarthy was even more candid during her appearance in the second hour of the meeting.

In her opening statement, she noted that, thanks to "cuts and other measures," Information Commissioner Suzanne Legault has seen her office budget has been reduced by nearly nine per cent over the past four fiscal years, and is now facing a two-year operational spending freeze.

"At the same time," McCarthy noted, their workload is expanding.

"In 2013-2014, we received 2,081 new complaints."

That represents an increase of 30 per cent over the previous year, she told the committee.

The combination of an increasing workload and shrinking resources have resulted in an average delay of six months between registration of a complaint and its assignment to an investigator, McCarthy told the committee.

"Under these circumstances, the commissioner is concerned about her continued ability to deliver on her mandate which would jeopardize the rights conferred by the act."

Even so, McCarthy noted that Legault has made it clear that she intends to continue her efforts to protect the access rights of Canadians.

"She has an ambitious agenda for this year … and a dedicated group of employees who will continue to make every effort to serve Canadians to the best of their ability."